PAST PUBLICATIONS:

• Pervasive Insecurity of Embedded Network Devices. [RAID10]

• A Quantitative Analysis of the Insecurity of Embedded Network Devices. [ACSAC10]

• Killing the Myth of Cisco IOS Diversity: Towards Reliable Large-Scale Exploitation of Cisco IOS. [USENIX WOOT11]

• Defending Legacy Embedded Systems with Software Symbiotes. [RAID11]

• From Prey to Hunter: Transforming Legacy Embedded Devices into Exploitation Sensor Grids. [ACSAC11]
PAST EMBEDDED TINKERINGS:

• INTERRUPT-HIJACK CISCO IOS ROOTKIT

• HP LaserJet Printer Rootkit

Interrupt-Hijack Shellcode [BLACKHAT USA 2011]

• 2ND-STAGE: EXCEPTION HIJACK AND IOMEM SNOOPING
(Diagram) Flow: ISR #N; 2nd-stage shellcode: init; IOMEM Packet Scrubber; 2nd-stage shellcode: exit; eret. Stage boxes: Load Code, Execute Code, Exfiltrate Data.



• THE (MIPS) ERET, OR EXCEPTION-RETURN, IS AN ARCHITECTURE INVARIANT

• ISR ENTRY POINT IS A BINARY INVARIANT, TYPICALLY FOUND AT 0X600080180, ETC.

• CAN JUST HIJACK ENTRY POINT, BUT THERE IS AN ULTERIOR MOTIVE

• USE ERET LOCATIONS IN THE IMAGE TO FINGERPRINT IOS VERSION

INTERRUPT-HIJACK SHELLCODE FREES US FROM THE TYRANNIES OF THE WATCHDOG TIMER.

PERPETUAL STEALTHY EXECUTION!
Unpack, Analyze, Modify, Repack: Cisco IOS



# FRAK classes (FirmwareObject, FrakUnpackerFactory, FrakModifierFactory,
# FrakPackerFactory) are assumed to come from the FRAK package; the slide
# does not show the import line.

# Outer layer: the IOS image file itself
test_img = "../test-data/cisco-ios/c7200-a3jk9s-mz.124-25d.bin"
fmObj = FirmwareObject(fName=test_img)

# Unpack the Cisco IOS container
fmObj.registerUnpacker(FrakUnpackerFactory.giveUnpacker("cisco-ios-unpacker"))
fmObj.unpack()

# Child "/1" is the embedded zip; unpack it with the generic unzip plug-in
childObj = fmObj.getFirmwareObj("/1")
childObj.registerUnpacker(FrakUnpackerFactory.giveUnpacker("generic-unzip-unpacker"))
childObj.unpack()

# "/1/0" is the payload inside the zip; apply the modifier to it
meat = fmObj.getFirmwareObj("/1/0")
meat.registerModifier(FrakModifierFactory.giveModifier("cisco-ios-showversion-modifier"))
meat.modify()

# Repack in reverse order: inner zip first, then the IOS container
childObj.registerPacker(FrakPackerFactory.givePacker("pkzip-packer"))
childObj.pack()

fmObj.registerPacker(FrakPackerFactory.givePacker("cisco-ios-packer"))
result = fmObj.pack()

print("tada!")
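An added example, not FRAK's own code (FRAK was never published, and the class names in the script above are only what the slide shows): a minimal stand-in for the object model that script drives, with a firmware tree addressed by "/i/j" paths and pluggable unpack/modify/pack steps, run over a constructed two-layer image (a made-up 8-byte header plus length wrapping a zip that holds a banner text). Every format, class and function name below is invented for the example.

```python
import io, struct, zipfile
MAGIC = b"DEMOFW\x00\x01"  # made-up outer-container header for this example, not a Cisco format

class FirmwareNode:  # one blob in the firmware tree; children are addressed by "/i/j" paths
    def __init__(self, data):
        self.data, self.children = data, []
    def get(self, path):  # e.g. "/0/0" -> first child of the first child
        node = self
        for idx in path.strip("/").split("/"):
            node = node.children[int(idx)]
        return node
    def unpack(self, unpacker):  # register-and-run: unpacker(bytes) -> list of child blobs
        self.children = [FirmwareNode(blob) for blob in unpacker(self.data)]
    def modify(self, modifier):  # modifier(bytes) -> bytes, applied in place
        self.data = modifier(self.data)
    def pack(self, packer):  # packer(list of child blobs) -> bytes; refreshes this node
        self.data = packer([child.data for child in self.children])
        return self.data

# Plug-ins: plain functions stand in for FRAK's unpacker/packer/modifier objects.
def container_unpack(blob):  # layout: 8-byte MAGIC | big-endian u32 length | payload
    assert blob[:8] == MAGIC, "not a demo container"
    (length,) = struct.unpack(">I", blob[8:12])
    return [blob[12:12 + length]]  # child /0 is the embedded zip

def container_pack(parts):
    return MAGIC + struct.pack(">I", len(parts[0])) + parts[0]

def unzip_unpack(blob):  # children are the zip members, in name order
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [zf.read(name) for name in sorted(zf.namelist())]

def pkzip_pack(parts):
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        for i, part in enumerate(parts):
            zf.writestr("member%d" % i, part)
    return out.getvalue()

def build_sample_image():  # constructed input: container -> zip -> banner text
    return container_pack([pkzip_pack([b"banner: build=DEMO-1\n"])])

def unpack_modify_repack(image):  # same step order as the FRAK script above
    root = FirmwareNode(image)
    root.unpack(container_unpack)          # layer 1: outer container
    child = root.get("/0")
    child.unpack(unzip_unpack)             # layer 2: zip inside it
    root.get("/0/0").modify(lambda d: d.replace(b"DEMO-1", b"DEMO-2"))
    child.pack(pkzip_pack)                 # repack inner layer, then the outer one
    return root.pack(container_pack)
```

Re-unpacking the output with the same plug-ins is the check that the repack preserved the container layout and changed only the intended member.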
Demos

• PACKER/REPACKER FOR CISCO IOS, HP-RFU

• AUTOMAGIC BINARY ANALYSIS

• IDA-PRO INTEGRATION

• ENTROPY-RELATED ANALYSIS

• Automated IOS/RFU rootkit injection
Pane Name: help

Available:

- unpacker_add | Uc
- help
- firmware_analyze
- unpacker_remove |
- firmware_import |
- firmware_unpack |
- firmware_export |
- quit
- modifier_remove |
- toggle_debug | dt
- exit
- show_panes
- firmware_load | 1
- packer_list | pl
- analysis_show | c
- analyzer_add | as
- packer_add | pa
- firmware_modify |
- import
- export
- firmware_show | fs
- modifier_list | ml
- set_pane
- firmware_pack | fp |
- modifier_add | ma
- clear
- q
- toggle_verbose | vb
- unpacker_list | ul
- analyzer_list | al
- toggle_auto_analysis

Last Cmd: h   Last Status: command not found



FRAK is still WIP. For early access, contact:

frak-request@redballoonsecurity.com